Monday, January 30, 2012

Hawaii may keep track of all Web sites visited

Hawaii's legislature is weighing an unprecedented proposal to curb the privacy of Aloha State residents: requiring Internet providers to keep track of every Web site their customers visit.

Its House of Representatives has scheduled a hearing this morning on a new bill requiring the creation of virtual dossiers on state residents. The measure, H.B. 2288, says "Internet destination history information" and "subscriber's information" such as name and address must be saved for two years.

H.B. 2288, which was introduced Friday, says the dossiers must include a list of Internet Protocol addresses and domain names visited. Democratic Rep. John Mizuno of Oahu is the lead sponsor; Mizuno also introduced H.B. 2287, a computer crime bill, at the same time last week.

Last summer, U.S. Rep. Lamar Smith (R-Texas) managed to persuade a divided committee in the U.S. House of Representatives to approve his data retention proposal, which doesn't go nearly as far as Hawaii's. (Smith, currently Hollywood's favorite Republican, has become better known as the author of the controversial Stop Online Piracy Act, or SOPA.)

Democrat Jill Tokuda, the Hawaii Senate's majority whip, who introduced a companion bill, S.B. 2530, in the Senate, told CNET that her legislation was intended to address concerns raised by Rep. Kymberly Pine, the first Republican elected to her Oahu district since statehood and the House minority floor leader.

"I was asked to introduce the Senate companions on these Internet security related bills by Representative Kymberly Marcos Pine after her own personal experience in this area," Tokuda said. "I would defer to her on the origins of these bills as she has done the research and outreach, and been the main champion of this effort."

Pine, who did not immediately respond to queries, has been targeted by a disgruntled Web designer, Eric Ryan, who launched KymPineIsACrook.com and claims she owes him money, according to an article last summer in the Hawaii Reporter. Her e-mail account was also reportedly hacked around the same time. The article said Pine would advocate for "tougher cyber laws at the Hawaii State Capitol" as a result.

"We must do everything we can to protect the people of Hawaii from these attacks and give prosecutors the tools to ensure justice is served for victims," Pine said at the time.

"This bill represents a radical violation of privacy and opens the door to rampant Fourth Amendment violations," says Daniel Leuck, chief executive of Honolulu-based software design boutique Ikayzo, who submitted testimony opposing the bill. He adds: "Even forcing telephone companies to record everyone's conversations, which is unthinkable, would be less of an intrusion."

Mizuno's proposal currently specifies no privacy protections, such as placing restrictions on what Internet providers can do with this information (like selling user profiles to advertisers) or requiring that police obtain a court order before perusing the virtual dossiers of Hawaiian citizens. Also absent are security requirements such as mandating the use of encryption.

Because the wording is so broad and applies to any company that "provides access to the Internet," Mizuno's legislation could sweep in far more than AT&T, Verizon, and Hawaii's local Internet providers. It could also impose sweeping new requirements on coffee shops, bookstores, and hotels frequented by the over 6 million tourists who visit the islands each year.

"H.B. 2288 raises all of the traditional concerns associated with data retention, and then some," Kate Dean, head of the U.S. Internet Service Provider Association in Washington, D.C., which counts Verizon and AT&T as members, told CNET. "And this may be the broadest mandate we've seen."

Even the Justice Department has only lobbied the U.S. Congress to record Internet Protocol addresses assigned to individuals--users' origin IP address, in other words. It hasn't publicly demanded that companies record the destination IP addresses as well.

In Washington, D.C., the fight over data retention requirements has been simmering since the Justice Department pushed the topic in 2005, a development that was first reported by CNET. Proposals publicly surfaced in the U.S. Congress the following year, and President Bush's attorney general, Alberto Gonzales said it's an issue that "must be addressed." So, eventually, did FBI director Robert Mueller.